cryptostorm's community forum

Ξ welcome to cryptostorm's member forums ~ you don't have to be a cryptostorm member to post here Ξ
Ξ any OpenVPN configs found on the forum are likely outdated. For the latest, visit here or GitHub Ξ
Ξ If you're looking for tutorials/guides, check out the new https://cryptostorm.is/#section6 Ξ

Ask yourself a question, how much do you really know about keeping your identity safe online? I’m smart enough to admit that I do not have the expertise to make definitive judgments about best practices which is why I am doing this write-up. I *want* holes poked in my ideas, there may be attack vectors that I have not considered. My professional background is not in security, at least not in the sense that would be assumed by this type of post. Now on to the meat of the subject, what are some risk factors that I do not see being discussed that I view as essential considerations?

Being secure is going to cost you time, money, but not necessarily a lot of either. The most important thing to remember is that even with a “perfect” system, you are your own worst enemy. Your identity is only as safe as you keep it. It is only as safe as it is separate from your online persona. If you use your personal gmail over TOR, you are exposing a link between your real identity and your online persona.

Any activities that are going to be performed that could result in a visit by "Law Enforcement" gangs should be separate from EVERYTHING else you do. It should not be understated that you should never, at any time, use closed source software(Windows/MacOS) while undertaking any activities frowned upon in your jurisdiction if you value your freedom. This includes running Windows as the host operating system and Backtrack/Tails/etc in a virtual machine, don't do it.

Risks when using Windows:

1. Windows Update - How easy would it be for Microsoft, a known collaborator with the NSA, to collect:

a. MAC address (for all interfaces)
b. CPU serial number
c. motherboard/laptop serial number
d. make and model of your device
e. a copy of the ARP table
f. the list of saved SSIDs and MACs(does it save MACs?) from the network manager
g. Computer Name
h. the local broadcasting SSIDs with MAC addresses

For all we know, Microsoft already does some or all of this. None of this data specifically tells anyone who you are(Unless you make the hostname your real name, like any Mac OS machine will do by default), but it does a lot to tell them where you are. Item "h" is the most damning. If your local WiFi access points' MAC addresses are known, your location is likely known, unless you are in a very isolated location with all new access points that have NEVER been active in any more densely populated areas.

Given the previous statement, it would be prudent for you to physically REMOVE your wireless network card before even considering starting anything. It is an inconvenience, but also a big security risk. There are ways to still have wireless connectivity without this security hole.

To demonstrate my point about the danger of WiFi, I searched for a video of someone using airodump on youtube. There are numerous tutorials and almost all of them will show the screen with bssids of all the local access points.

Search nearby for *, this will give a dot for the building that is being pointed to, notice the business name Cevallos Lofts matches nicely with the SSIDs of CL.

This is just one example, search for “BSSID PWR Beacons #Data, #/s” on google and what you will find is numerous people posing the equivalent of GPS coordinates to their homes.

Consider the FOXACID attack by the NSA. What if it had executed and recorded the results of the command “netsh wlan show all” which does not trigger UAC? Go ahead, run it on your own Windows Vista or newer Windows machine. You will observe your own MAC address, your card make and model, and the details for all the local WiFi networks. Everything needed to identify where you were and which computer was yours.

Risks when using Windows:

2. Your antivirus software. Do you trust your antivirus vendor to not collect any of that same data when they update your definitions? In many cases, Microsoft is your antivirus vendor. Symantec is widely used in government computer networks, how hard would the NSA have to push for them to collect this type of information?

3. Any other piece of software on your computer. You have a lot of leak vectors from many entities with unknown affiliations and loyalties. The more software you run, the more vectors there are.

These same risks apply equally to Apple or any other major software vendor.

My original post seems to have suffered truncation during editing, fortunately I have a copy of all except the closing paragraph. Unfortunately, that was probably the best part of the whole post.

To continue my previous post, with edits:

What is the solution to this? Linux is really your only option, and I do not mean Ubuntu. You should be using distros that don't update things automatically. You should have to initiate and approve updates. This means none of the popular distros are an option. Pure Debian may be an option. You should prefer a distro that is specifically built for security. I don't even pretend to be an expert other than to say that Tails and BackTrack may be options to explore.

(Note: The following is speculation about creating a more secure environment. It is not a complete guide.)

So how would I go about creating a secure environment? Layers and accident proofing is one way:

1. Buy a brand new laptop, with cash, at Walmart/Target/etc. You'll be able to get something decent and usable for under $500.

2. When you get home, do not even turn it on. Remove, destroy, and throw the wireless card in the trash, disconnect the webcam+mic (they will likely be together on the same ribbon cable), disable secure boot, and install your linux distro.

Why disable the webcam? You are not going to be broadcasting video, so why even have the hardware available for exploitation.
Why disable the mic? Another source that can compromise you if your machine gets "pwned".

3. OpenWRT router running OpenVPN 2.3.2 (included in the trunk as of July 2013).

a. Remove dnsmasq and dhclient. This means no DHCP, you are going to have to statically assign everything. (Have not looked at the particulars, could be in busybox requiring a source rebuid, dhclient removal may not be possible because of OpenVPN needing it)
b. When assigning IP addresses, do not add a default gateway or add an incorrect one. Instead, manually add the route to get to the IP address of your OpenVPN server.
c. Add iptables firewall rules to block all outgoing traffic not directed at the port and IP of the OpenVPN server. (Will this work? Certain other protocols may be required to be allowed to pass, someone that knows more should chime in)
d. (If possible) Add a startup script to change the WAN (wifi or ethernet, depends on the scenario and router) MAC address to a semi-random value (Keep within the same manufacturer to not arouse suspicion).
This means that the router you are behind prevents you from accomplishing leaks of any kind because the only route to the internet is when the OpenVPN tunnel is active. The router has no DNS server, it is not doing DNS relay, and it does not know what to do with the traffic so it rejects it.

4. Repeat step 3 for a second(or n) layer of protection, prefer router closest to the real internet to be connected to a VPN provider in a country that is very uncooperative with your local costumed thugs.

5. If you are using TOR for everything (good!), you should be running TAILS at this point.

Recap of Network Layers

TOR --> Router2/VPN2 (Say, CS.is) --> Router1/VPN1(Say, Vietnam or some other unfriendly country) -->ISP. All layers must be peeled back to find you.

So, to identify you:

1. Compromise TOR(If you were using TAILS, this would be unlikely) and determine that your IP points to VPN2 (CS.is)

2. Your traffic coming out of CS.is is bundled with hundreds or thousands of users and CS.is has no way of identifying who you are because you buy tokens over TOR from a broker with freshly tumbled bitcoins. So your identity is never on a (large) suspect list. They manage to tap CS.is without them commiting seppuku and track you down to VPN1.

3. Your traffic coming out of VPN1(same setup as CS.is) is bundled with hundreds or thousands of users and VPN1 has no way of identifying who you are because you buy tokens over TOR from a broker with freshly tumbled bitcoins. So your identity is never on a (large) suspect list. This assumes the second provider can be coerced into assisting. If they can, and they somehow figure out how to separate you from the noise, you are then completely screwed.

Cheap Router Setups

The TP-Link WR703n is a tiny wifi router with a USB port that will allow extra storage assuming that OpenVPN cannot be squeezed into the 4MB flash. - $26 on Amazon

Same router, pre-modded with 64MB RAM and 16MB flash available for $44 shipped. Search for SLBoat on ebay.

Advantage: Cheap, Small, USB powered, perfect replacement for a WiFi card if using only one OpenVPN.

SilkRoad: Purchasing identification documents (Do not purchase such documents for the "lolz", if I was the FBI I would be selling such documents just to have a list with photographs of people I should be watching. Look for a seller with a long history and only purchase documents if you have no alternative.)

Socializing on the "deepweb". In general, don't do it if you can avoid it. For the love of god, do not brag about actions you have taken in the past. If you really need someone to talk to, a good therapist is probably the best money you will ever spend.

Any other kind of illicit activity

That was just a quick list of identities that should be separate and never come into contact with each other. These identities should, under no circumstance, share the same:

Email Address, or provider if possible

Nickname/Handle or variation of any other.

Passwords

Bitcoin wallets

If you cannot device a method for deriving passwords based on the names you have chosen, at least use an encrypted password vault with a strong and UNIQUE password. This is probably your best option. Your password vault does not belong on your iPhone or Android phone. I don't care what kind of security you think you have. That is just another, unnecessary, attack vector. Your wallet should be encrypted with a unique password on top of the base TrueCrypt encryption that is necessary to launch the Linux OS hosting VMs with your separate identities. To pull this off, you need to remember a grand total of two passwords that are unique. Perhaps you should consider using mnemonic phrases?

Workflow to launch your identity for "socializing" on the deepweb:

Turn on laptop

Enter password for the truecrypt container with your VMs, not the diversion container with nothing but activity you would be proud to show your grandma.

Launch your password vault, enter the unique password protecting it, and grab the key labeled Babymuck. That is the random name you got as the seventh hit on this page and therefor the VM label and how you know which password goes to it.

Launch the VM, enter the password, clear the clipboard.

Inside this VM is where you keep any identity notes/passwords/usernames/wallet.dat password, inside another password vault.

Launch your stuff and do not leave the machine unattended. In fact, since you should be doing very little in the way to things that could result in data loss, remove the battery from the laptop. Clearing that ram (and all your information in memory) is just a power loss away.

Identity generation:
Do not pick your own nickname. Get a nickname generator, get a name generator, and just pick a random one (Say, name 23 on the third generation of the page, no matter how stupid the name sounds). Your nickname should say nothing about you and make no sense. OK, maybe your selling profile needs a little selection finesse, but no other identity should.

Let us pick a name from here. OK, today I want to make a new social identity, so I'm going to be a Pokemon. I select a Pokemon name, and decide that whatever name 12 is, that will be my name: My new social identity is Beefemon. That is my handle, don't argue, just go with it. I need a name to go along with it, so I click the two name generator and my new name is Leona Averesch. I guess I will be a woman from now on. You should be starting to get the picture.(Bonus points if you manage to pick a name that returns thousands of hits on google.)

Do not, under any circumstances, connect to any services that connects you to your real identities. This means that you cannot use an email service that requires a SMS verification. Leona/Beefemon only exists within the VM, your favorite websites do NOT.

Lignus wrote:My original post seems to have suffered truncation during editing, fortunately I have a copy of all except the closing paragraph. Unfortunately, that was probably the best part of the whole post.

I was the admin who did the formatting edits, and I offer you my sincere apologies. Despite auditing logfiles manually once I saw this note from you, I cannot provide even a theory as to how I managed to screw this up. Indeed, as with any copyediting task, care in ensuring no loss of underlying data is top priority.

And yet, somehow, I screwed this up.

I've done my best to recover the original from cached versions - server-side and client-side - but we deprecate caching in general terms and as a result there's not as much there as might otherwise be the case. Additional efforts to see if google might have cached/crawled the original post prior to my screw-up failed, along with a peek into the Wayback Machine.

My sincere regrets. To lose the words of someone else is unacceptable, particularly when doing "minor edits" not even requested by the author. I'm not sure what else to say, except that I will redouble my caution in the future to ensure this does not repeat itself. Looking back nearly two decades during which I've done various sysadmin/admin/moderator duties, I can't ever recall a mistake I've made that was this inexcusable, and this dumb.

If there's anything else I can do to make this right, for you, please let me know.

I've gone ahead and updated your forum permissions mask to allow you to edit your posts in this thread. That way, if you'd like to concatenate your posts into one combined post you can do so without my sloppy fingers being a threat vector to successful completion You can also pull text up into your original post in the thread - the one I unintentionally mangled - if you'd like that to be the authoritative version, as well as editing your post titles and so on.

The new permissions mask has been successfully tested; the "edit" button will show at the bottom of your posts, and does not have a time limit / expiry. If there's any issues with it, please let me know and I will resolve it at once.

PJ, not even concerned in the least. My original post was sloppy and the formatting needed fixing. If you notice, I followed your stylistic lead in formatting the rest of the posts. To add to that, the third post you see there was originally a paragraph with maybe ten sentences. As you can now clearly see, I expanded upon it greatly.

In all actuality, I lost five minutes of typing to your error. I happened to have a copy of the post before I added the closing paragraph, the one that turned into a full page when I did the rewrite.

As to consolidation. I am not even sure that consolidation is even preferable, since the subject seems to divide well into three general types of information. Besides, it is a lot easier for someone to digest it when it is broken up like this. They think they are close to the end, then I surprise them with another couple pages.

Edit: On the other hand, a one month token would be much appreciated. You would get a test of the OpenWRT setup I mentioned (only one layer) as well as TunnelBlick on Mac OS 10.9.

First off after the possibly backdoors in truecrypt with bad prng, crypto use, or password left in memory, is it at all plausible for HDD encryption by GPG/PGP? as there may be no way now, but could there be?

Also, whether network bridges stand up to any type of security, you could utilize ADHD Linux, which helps from disrupting attacker recon, monitors the network, active honeypots, etc, either in between the modem and router or after the router.

And I see bitmessage being very useful for email as well as the project for namecoin to actually be used as a DNS.

Guest wrote:First off after the possibly backdoors in truecrypt with bad prng, crypto use, or password left in memory, is it at all plausible for HDD encryption by GPG/PGP? as there may be no way now, but could there be?

Also, whether network bridges stand up to any type of security, you could utilize ADHD Linux, which helps from disrupting attacker recon, monitors the network, active honeypots, etc, either in between the modem and router or after the router.

And I see bitmessage being very useful for email as well as the project for namecoin to actually be used as a DNS.

{edit: fixed typo in "memory" ~admin}

There is still hope. TrueCrypt is getting audited. There is a Linux kernel security patch that will encrypt the contents of RAM while storing the key in a CPU debug register. This will prevent DMA attacks on a live machine. It does not completely prevent a ColdBoot attack, but it makes it a nightmare to even attempt one. There are ways of securing a router so that it becomes completely unresponsive(block all traffic destined for the router itself, but forward packets all day long) but still routes your traffic. I am not sure if there are attacks against a Linux router secured in such a fashion. As to LAN attacks, if they have made it that far, you're screwed anyways. They are unlikely to attempt monitoring your LAN before entering your home and seizing equipment.

You can use a passphrase that only takes seconds to enter, probably less than your 12-16 character "strong" password. With your traditional password, your speed is slowed by substituting numbers and symbols and hitting shift a lot. With a pass phrase, you simply type four to six words and you are in. A 32WPM typist would have the password typed in just 8-12 seconds. How long does it take you to type in "P4s$vv0rd!"? That is what I thought. Then you also have to remember it. Think about how much easier it would be to remember and type "clear tied moment trade". The best part is, you can vary the length and complexity to whatever level you want.

TOR + TOR serves little purpose. Compromising your identity over one layer of TOR means they can easily traverse the second layer. To add to this, neither you nor the destination end of your TOR session know how many hops to get to the center of the onion. You could be as little as two hops or as many as ten hops (wild speculation, I have not read the TOR docs).

There are three ways to compromise TOR, listed in descending order of likelihood:

You, revealing identifying information or what you have revealed in aggregate could be used to identity you. (This is why you keep separate identities and never, ever, boast about things that could result in a visit). Another possibility is that you do not practice good OpSec and connect to things you shouldn't on an open line.

Environment compromise: Identifying information was revealed as a result of system compromise, malware, 0-day (FOXACID), etc. This is why no WiFi and everything runs in a VM environment that looks like millions of other VMs.

Network Compromise: Someone manages to compromise the network that you are relying on for security. This means that TOR has been defeated, along with all the other layers of security. It is unlikely that there will be a convergence of TOR and the VPN connections being compromised at the same time.

It all comes down to this: If you practice good OpSec you are unlikely to be identified. If you do not, you're fucked.

As an additional note, do not do any extensive writing under a name which you do not wish to be associated with your true identity. Punctuation, grammar, verb-subject usage, meter, spelling, capitalization, vocabulary, and slang are all things which can allow someone to compare samples and identify if they are from the same author. I have written more than enough under this identity to be linked with identities that can easily be traced back to me. Fortunately, this identity was created specifically for interacting on this forum and thus it will not have any negative repercussions to have it linked back to me.

good to know. tor through tor was just a thought and I figured I would ask because while I at first think its has its pros, it has cons to, that I may not see sometimes.

On a related matter, I've seen many state to use Tor and then VPN through tor. Now you are unable to use .onion addresses unless using .onion.to, and all traffic through tor is encrypted. what's your take on that?

Bitmessage me with Questions, Help, or ChitChat - BM-2cV5BzWc9P7vufQREE8Be4U64GBgRJ3GnT" Those who do not move, do not notice their chains." -Rosa Luxemburg

acid1c wrote:good to know. tor through tor was just a thought and I figured I would ask because while I at first think its has its pros, it has cons to, that I may not see sometimes.

On a related matter, I've seen many state to use Tor and then VPN through tor. Now you are unable to use .onion addresses unless using .onion.to, and all traffic through tor is encrypted. what's your take on that?

I'm not saying to not do layered TOR, I am just saying that the benefit factor is low to non-existent and the cost factor (latency, bandwidth) is high.

As to the question of VPN over TOR, that presents some interesting difficulties. I'm not even sure if a UDP VPN would function. TCP, yes, but you are probably looking at a large number of retransmissions.

While I am familiar with the existence of onion.to, I am not sure that it is usable for anything more than passive browsing. I am not sure if it allows session preservation that would enable signing into a forum. Either way, any password you type into it should be assumed to be compromised immediately.

Great video and great points in his talk. We do have one point of disagreement(VPN/TOR layering order), but I think that he would be more likely to agree with me given the changes in VPN models now available(sort of, what CS is doing needs to spread to more countries).

I spent most of the afternoon reading his analysis of OPSEC incidents that have occurred over the past year and he makes some great points.

He makes the point over and over again to never trust anyone. Excellent point, but you can use this to even greater advantage. Your alter persona should have a background, you should be taking notes on the things your alter persona says that are normally identifying. He mentions one of the lulzsec guys got caught in part because he revealed he had been in a county jail for two weeks on a drug charge and was currently on probation. If you have never been in jail or on probation, this would be an excellent statement to make about your alternate persona. Consistent and believable misdirection, but not too much, works in your favor.

Lignus wrote:Consider the FOXACID attack by the NSA. What if it had executed and recorded the results of the command “netsh wlan show all” which does not trigger UAC? Go ahead, run it on your own Windows Vista or newer Windows machine. You will observe your own MAC address, your card make and model, and the details for all the local WiFi networks. Everything needed to identify where you were and which computer was yours.

This is rendered null and void if the Windows User has tweaked their Windows Services... more specifically setting these to "manual" or "disabled (not sure about this one)"
1) WLAN AutoConfig Service (for the above example)... and to extend a bit further;
2) Wired AutoConfig Service